inspec 1.0.0.beta2 → 1.0.0.beta3

Files changed (95) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
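--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 714356a44147a3ea6f876aa73a6e51e1abac60b3
- data.tar.gz: 83e1f5f89edea538de7027ab4d0e07e161f0ee5d
+ metadata.gz: 75fea2e790e0dcea3951df73e3ad7976a5e8e659
+ data.tar.gz: b7bd822fd9b85f6da803b2078481089cb9801b83
  SHA512:
- metadata.gz: ebf142830517de967349b6fb1fea90f2b7d7beca3f7630903dd2d92259b78c9a28576f431091b929d96bd26ce89a66dd6ee8d02b25649232453966f2fd197665
- data.tar.gz: d9bca14a669035a4729a6de6b2ca6b1d4498498080915a94084190b3c40a7bf75124a75fec60b15e3257ac46f6d5f03ae2ce1734bebb1aed06c86eca42e3c0b3
+ metadata.gz: 705b7694c8d6dbecea6646f6f71c691774ae5946106e9381f47fdfb276848e7e0b1ca1c80e7c3db5ee3dbf6b8958ed0a1fa94b6f75d5abea19ac555bfc44f095
+ data.tar.gz: fd38cbdb8d6f3d9063283a9c9f774e7d0f412e5bc1d697dc9cbeeed29dd911b239470b18d273d691fe7ddf53c3699359895cdb8a0b354f6a6f38205ae890d738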
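--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,7 +1,46 @@
  # Change Log
 
- ## [1.0.0.beta2](https://github.com/chef/inspec/tree/1.0.0.beta2) (2016-09-22)
- [Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.pre.beta1...1.0.0.beta2)
+ ## [1.0.0.beta3](https://github.com/chef/inspec/tree/1.0.0.beta3) (2016-09-25)
+ [Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.beta2...1.0.0.beta3)
+
+ **Implemented enhancements:**
+
+ - Improve lockfile handling [\#1070](https://github.com/chef/inspec/issues/1070)
+ - Show skip\_message and correct title [\#1109](https://github.com/chef/inspec/pull/1109) ([alexpop](https://github.com/alexpop))
+
+ **Fixed bugs:**
+
+ - InSpec CLI output not showing skip message when control title is defined [\#1097](https://github.com/chef/inspec/issues/1097)
+ - bugfix: there is one more button to start the online demo [\#1140](https://github.com/chef/inspec/pull/1140) ([arlimus](https://github.com/arlimus))
+
+ **Closed issues:**
+
+ - add docs to inspec.io [\#1119](https://github.com/chef/inspec/issues/1119)
+ - Cache key for dependencies needs to be based on content hash for urls [\#1066](https://github.com/chef/inspec/issues/1066)
+
+ **Merged pull requests:**
+
+ - Enable builds on both Windows and \*nix [\#1145](https://github.com/chef/inspec/pull/1145) ([scotthain](https://github.com/scotthain))
+ - Website: Minor edits in preparation for launch [\#1144](https://github.com/chef/inspec/pull/1144) ([magwalk](https://github.com/magwalk))
+ - Truncate long filename. Temporary fix [\#1143](https://github.com/chef/inspec/pull/1143) ([stevendanna](https://github.com/stevendanna))
+ - add variables to each loops [\#1142](https://github.com/chef/inspec/pull/1142) ([chris-rock](https://github.com/chris-rock))
+ - embed tutorial in website [\#1139](https://github.com/chef/inspec/pull/1139) ([arlimus](https://github.com/arlimus))
+ - scope all tutorial assets [\#1138](https://github.com/chef/inspec/pull/1138) ([arlimus](https://github.com/arlimus))
+ - add build task for online tutorial with all assets [\#1137](https://github.com/chef/inspec/pull/1137) ([arlimus](https://github.com/arlimus))
+ - implement filter table for group/groups resource [\#1135](https://github.com/chef/inspec/pull/1135) ([chris-rock](https://github.com/chris-rock))
+ - fix minor typos in user resource [\#1134](https://github.com/chef/inspec/pull/1134) ([chris-rock](https://github.com/chris-rock))
+ - Website Copy Edits [\#1133](https://github.com/chef/inspec/pull/1133) ([magwalk](https://github.com/magwalk))
+ - add build tasks for www [\#1132](https://github.com/chef/inspec/pull/1132) ([arlimus](https://github.com/arlimus))
+ - add resources.md doc generation [\#1130](https://github.com/chef/inspec/pull/1130) ([arlimus](https://github.com/arlimus))
+ - add all resources to docs [\#1129](https://github.com/chef/inspec/pull/1129) ([arlimus](https://github.com/arlimus))
+ - reorder and fix sidebar contents for docs [\#1128](https://github.com/chef/inspec/pull/1128) ([arlimus](https://github.com/arlimus))
+ - add ruby usage in inspec as markdown [\#1127](https://github.com/chef/inspec/pull/1127) ([arlimus](https://github.com/arlimus))
+ - Add markdown docs [\#1125](https://github.com/chef/inspec/pull/1125) ([arlimus](https://github.com/arlimus))
+ - Avoid spurious downloads during dependency management [\#1124](https://github.com/chef/inspec/pull/1124) ([stevendanna](https://github.com/stevendanna))
+ - Website Design Fixes [\#1123](https://github.com/chef/inspec/pull/1123) ([magwalk](https://github.com/magwalk))
+
+ ## [v1.0.0.beta2](https://github.com/chef/inspec/tree/v1.0.0.beta2) (2016-09-22)
+ [Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.pre.beta1...v1.0.0.beta2)
 
  **Implemented enhancements:**
 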
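--- a/data/Gemfile
+++ b/data/Gemfile
@@ -6,6 +6,7 @@ gemspec
  # detecting that net-ssh 3 does not work with 1.9.3
  if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('1.9.3')
  gem 'net-ssh', '~> 2.9'
+ gem 'tins', '~> 1.6.0'
  end
 
  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
@@ -23,6 +24,9 @@ group :test do
  gem 'simplecov', '~> 0.10'
  gem 'concurrent-ruby', '~> 0.9'
  gem 'mocha', '~> 1.1'
+ gem 'ruby-progressbar', '~> 1.8'
+ gem 'inquirer'
+ gem 'nokogiri', '~> 1.6'
  end
 
  group :integration do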
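Review bot: `gem 'inquirer'` in the `:test` group is the only gem added in this section without a version constraint; `ruby-progressbar` and `nokogiri` next to it both carry a `~>` pin. With no constraint (and no lockfile visible in this diff) Bundler resolves it to whatever release is newest at install time, so test runs are not reproducible and a bad upstream release flows straight into the build. I would pin it like its neighbours, e.g. `gem 'inquirer', '~> <version-in-use>'`. Separately, the `tins` pin added in the Ruby <= 1.9.3 branch has no explanation: the comment above it covers only net-ssh, so a line such as `# tins is pinned for Ruby 1.9.3 compatibility (confirm the reason)` would tell a maintainer when the pin can be dropped.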
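--- a/data/Rakefile
+++ b/data/Rakefile
@@ -5,8 +5,9 @@ require 'bundler'
  require 'bundler/gem_tasks'
  require 'rake/testtask'
  require 'rubocop/rake_task'
- require_relative 'tasks/maintainers'
  require_relative 'tasks/docs'
+ require_relative 'tasks/maintainers'
+ require_relative 'tasks/www'
 
  # Rubocop
  desc 'Run Rubocop lint checks'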
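--- a/data/docs/.gitignore
+++ b/data/docs/.gitignore
@@ -0,0 +1,2 @@
+ resources.md
+ cli.md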
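--- a/data/docs/README.md
+++ b/data/docs/README.md
@@ -6,7 +6,27 @@ The goal of this folder is for any community member to clone these docs, make th
 
  ## How to build docs
 
- TODO
+ We build docs by:
+
+ 1. Auto-generating docs from code
+ 2. Transforming markdown+snippets in this folder into pure markdown in `www/source/docs`
+ 3. Rendering them to the website via instructions in `www/`
+
+ For development, you **only need step 1**!
+
+ **1 Generate docs**
+
+ To generate all docs run:
+
+ ```
+ bundle exec rake docs
+ ```
+
+ You can run tasks individually. For a list of tasks run:
+
+ ```
+ bundle exec rake --tasks docs
+ ```
 
  ## Stability Index
 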
@@ -0,0 +1,75 @@
1
+ ---
2
+ title: About the apache_conf Resource
3
+ ---
4
+
5
+ # apache_conf
6
+
7
+ Use the `apache_conf` InSpec audit resource to test the configuration settings for Apache. This file is typically located under `/etc/apache2` on the Debian and Ubuntu platforms and under `/etc/httpd` on the Fedora, CentOS, RedHat Enterprise Linux, and ArchLinux platforms. The configuration settings may vary significantly from platform to platform.
8
+
9
+ # Syntax
10
+
11
+ An `apache_conf` InSpec audit resource block declares configuration settings that should be tested:
12
+
13
+ describe apache_conf('path') do
14
+ its('setting_name') { should eq 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `'setting_name'` is a configuration setting defined in the Apache configuration file
20
+ * `('path')` is the non-default path to the Apache configuration file
21
+ * `{ should eq 'value' }` is the value that is expected
22
+
23
+ # Matchers
24
+
25
+ This InSpec audit resource matches any service that is listed in the Apache configuration file:
26
+
27
+ its('PidFile') { should_not eq '/var/run/httpd.pid' }
28
+
29
+ or:
30
+
31
+ its('Timeout') { should eq 300 }
32
+
33
+ For example:
34
+
35
+ describe apache_conf do
36
+ its('MaxClients') { should eq 100 }
37
+ its('Listen') { should eq '443'}
38
+ end
39
+
40
+
41
+ ## be
42
+
43
+ <%= partial "/shared/matcher_be" %>
44
+
45
+ ## cmp
46
+
47
+ <%= partial "/shared/matcher_cmp" %>
48
+
49
+ ## eq
50
+
51
+ <%= partial "/shared/matcher_eq" %>
52
+
53
+ ## include
54
+
55
+ <%= partial "/shared/matcher_include" %>
56
+
57
+ ## match
58
+
59
+ <%= partial "/shared/matcher_match" %>
60
+
61
+ # Examples
62
+
63
+ The following examples show how to use this InSpec audit resource.
64
+
65
+ ## Test for blocking .htaccess files on CentOS
66
+
67
+ describe apache_conf do
68
+ its('AllowOverride') { should eq 'None' }
69
+ end
70
+
71
+ ## Test ports for SSL
72
+
73
+ describe apache_conf do
74
+ its('Listen') { should eq '443'}
75
+ end
@@ -0,0 +1,84 @@
1
+ ---
2
+ title: About the apt Resource
3
+ ---
4
+
5
+ # apt
6
+
7
+ Use the `apt` InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.
8
+
9
+ # Syntax
10
+
11
+ An `apt` resource block tests the contents of Apt and PPA repositories:
12
+
13
+ describe apt('path') do
14
+ it { should exist }
15
+ it { should be_enabled }
16
+ end
17
+
18
+ where
19
+
20
+ * `apt('path')` must specify an Apt or PPA repository
21
+ * `('path')` may be an `http://` address, a `ppa:` address, or a short `repo-name/ppa` address
22
+ * `exist` and `be_enabled` are a valid matchers for this resource
23
+
24
+
25
+ # Matchers
26
+
27
+ This InSpec audit resource has the following matchers:
28
+
29
+ ## be
30
+
31
+ <%= partial "/shared/matcher_be" %>
32
+
33
+ ## be_enabled
34
+
35
+ The `be_enabled` matcher tests if a package exists in the repository:
36
+
37
+ it { should be_enabled }
38
+
39
+ ## cmp
40
+
41
+ <%= partial "/shared/matcher_cmp" %>
42
+
43
+ ## eq
44
+
45
+ <%= partial "/shared/matcher_eq" %>
46
+
47
+ ## exist
48
+
49
+ The `exist` matcher tests if a package exists on the system:
50
+
51
+ it { should exist }
52
+
53
+ ## include
54
+
55
+ <%= partial "/shared/matcher_include" %>
56
+
57
+ ## match
58
+
59
+ <%= partial "/shared/matcher_match" %>
60
+
61
+ # Examples
62
+
63
+ The following examples show how to use this InSpec audit resource.
64
+
65
+ ## Test if apt repository exists and is enabled
66
+
67
+ describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
68
+ it { should exist }
69
+ it { should be_enabled }
70
+ end
71
+
72
+ ## Verify that a PPA repository exists and is enabled
73
+
74
+ describe apt('ppa:nginx/stable') do
75
+ it { should exist }
76
+ it { should be_enabled }
77
+ end
78
+
79
+ ## Verify that a repository is not present
80
+
81
+ describe apt('ubuntu-wine/ppa') do
82
+ it { should_not exist }
83
+ it { should_not be_enabled }
84
+ end
@@ -0,0 +1,61 @@
1
+ ---
2
+ title: About the audit_policy Resource
3
+ ---
4
+
5
+ # audit_policy
6
+
7
+ Use the `audit_policy` Inspec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
8
+
9
+ # Syntax
10
+
11
+ An `audit_policy` resource block declares a parameter that belongs to an audit policy category or subcategory:
12
+
13
+ describe audit_policy do
14
+ its('parameter') { should eq 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `'parameter'` must specify a parameter
20
+ * `'value'` must be one of `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`
21
+
22
+
23
+ # Matchers
24
+
25
+ This InSpec audit resource has the following matchers:
26
+
27
+ ## be
28
+
29
+ <%= partial "/shared/matcher_be" %>
30
+
31
+ ## cmp
32
+
33
+ <%= partial "/shared/matcher_cmp" %>
34
+
35
+ ## eq
36
+
37
+ <%= partial "/shared/matcher_eq" %>
38
+
39
+ ## include
40
+
41
+ <%= partial "/shared/matcher_include" %>
42
+
43
+ ## match
44
+
45
+ <%= partial "/shared/matcher_match" %>
46
+
47
+ # Examples
48
+
49
+ The following examples show how to use this InSpec audit resource.
50
+
51
+ ## Test that a parameter is not set to "No Auditing"
52
+
53
+ describe audit_policy do
54
+ its('Other Account Logon Events') { should_not eq 'No Auditing' }
55
+ end
56
+
57
+ ## Test that a parameter is set to "Success"
58
+
59
+ describe audit_policy do
60
+ its('User Account Management') { should eq 'Success' }
61
+ end
@@ -0,0 +1,79 @@
1
+ ---
2
+ title: About the auditd_conf Resource
3
+ ---
4
+
5
+ # auditd_conf
6
+
7
+ Use the `auditd_conf` InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under `/etc/audit/auditd.conf'` on Unix and Linux platforms.
8
+
9
+ # Syntax
10
+
11
+ A `auditd_conf` resource block declares configuration settings that should be tested:
12
+
13
+ describe auditd_conf('path') do
14
+ its('keyword') { should cmp 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `'keyword'` is a configuration setting defined in the `auditd.conf` configuration file
20
+ * `('path')` is the non-default path to the `auditd.conf` configuration file
21
+ * `{ should cmp 'value' }` is the value that is expected
22
+
23
+
24
+ # Matchers
25
+
26
+ This InSpec audit resource has the following matchers:
27
+
28
+ ## be
29
+
30
+ <%= partial "/shared/matcher_be" %>
31
+
32
+ ## cmp
33
+
34
+ <%= partial "/shared/matcher_cmp" %>
35
+
36
+ ## eq
37
+
38
+ <%= partial "/shared/matcher_eq" %>
39
+
40
+ ## include
41
+
42
+ <%= partial "/shared/matcher_include" %>
43
+
44
+ ## keyword
45
+
46
+ This matcher will matche any keyword that is listed in the `auditd.conf` configuration file. Option names and values are case-insensitive:
47
+
48
+ its('log_format') { should cmp 'raw' }
49
+
50
+ or:
51
+
52
+ its('max_log_file') { should cmp 6 }
53
+
54
+ ## match
55
+
56
+ <%= partial "/shared/matcher_match" %>
57
+
58
+ # Examples
59
+
60
+ The following examples show how to use this InSpec audit resource.
61
+
62
+ ## Test the auditd.conf file
63
+
64
+ describe auditd_conf do
65
+ its('log_file') { should cmp '/full/path/to/file' }
66
+ its('log_format') { should cmp 'raw' }
67
+ its('flush') { should cmp 'none' }
68
+ its('freq') { should cmp 1 }
69
+ its('num_logs') { should cmp 0 }
70
+ its('max_log_file') { should cmp 6 }
71
+ its('max_log_file_action') { should cmp 'email' }
72
+ its('space_left') { should cmp 2 }
73
+ its('action_mail_acct') { should cmp 'root' }
74
+ its('space_left_action') { should cmp 'email' }
75
+ its('admin_space_left') { should cmp 1 }
76
+ its('admin_space_left_action') { should cmp 'halt' }
77
+ its('disk_full_action') { should cmp 'halt' }
78
+ its('disk_error_action') { should cmp 'halt' }
79
+ end
@@ -0,0 +1,132 @@
1
+ ---
2
+ title: About the auditd_rules Resource
3
+ ---
4
+
5
+ # auditd_rules
6
+
7
+ Use the `auditd_rules` InSpec audit resource to test the rules for logging that exist on the system. The `audit.rules` file is typically located under `/etc/audit/` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the run-time `auditd` rules setup, which may be different from `audit.rules`.
8
+
9
+
10
+ # Syntax
11
+
12
+ An `auditd_rules` resource block declares one (or more) rules to be tested, and then what that rule should do. The syntax depends on the version of `audit`:
13
+
14
+ For `audit` >= 2.3:
15
+
16
+ describe auditd_rules do
17
+ its('lines') { should contain_match(rule) }
18
+ end
19
+
20
+ For `audit` < 2.3:
21
+
22
+ describe audit_daemon_rules do
23
+ its("LIST_RULES") {
24
+ rule
25
+ }
26
+ end
27
+
28
+ For example:
29
+
30
+ describe auditd_rules do
31
+ its('LIST_RULES') { should eq [
32
+ 'exit,always syscall=rmdir,unlink',
33
+ 'exit,always auid=1001 (0x3e9) syscall=open',
34
+ 'exit,always watch=/etc/group perm=wa',
35
+ 'exit,always watch=/etc/passwd perm=wa',
36
+ 'exit,always watch=/etc/shadow perm=wa',
37
+ 'exit,always watch=/etc/sudoers perm=wa',
38
+ 'exit,always watch=/etc/secret_directory perm=r',
39
+ ] }
40
+ end
41
+
42
+ or test that individual rules are defined:
43
+
44
+ describe auditd_rules do
45
+ its('LIST_RULES') {
46
+ should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/)
47
+ }
48
+ its('LIST_RULES') {
49
+ should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/)
50
+ }
51
+ its('LIST_RULES') {
52
+ should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)
53
+ }
54
+ its('LIST_RULES') {
55
+ should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)
56
+ }
57
+ its('LIST_RULES') {
58
+ should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)
59
+ }
60
+ end
61
+
62
+ where each test must declare one (or more) rules to be tested.
63
+
64
+
65
+ # Matchers
66
+
67
+ This InSpec audit resource has the following matchers:
68
+
69
+ ## be
70
+
71
+ <%= partial "/shared/matcher_be" %>
72
+
73
+ ## cmp
74
+
75
+ <%= partial "/shared/matcher_cmp" %>
76
+
77
+ ## eq
78
+
79
+ <%= partial "/shared/matcher_eq" %>
80
+
81
+ ## include
82
+
83
+ <%= partial "/shared/matcher_include" %>
84
+
85
+ ## match
86
+
87
+ <%= partial "/shared/matcher_match" %>
88
+
89
+ # Examples
90
+
91
+ The following examples show how to use this InSpec audit resource.
92
+
93
+ ## Test if a rule contains a matching element that is identified by a regular expression
94
+
95
+ For `audit` >= 2.3:
96
+
97
+ describe auditd_rules do
98
+ its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
99
+ end
100
+
101
+ For `audit` < 2.3:
102
+
103
+ describe audit_daemon_rules do
104
+ its("LIST_RULES") {
105
+ should contain_match(/^exit,always arch=.*\
106
+ key=time-change\
107
+ syscall=adjtimex,settimeofday/)
108
+ }
109
+ end
110
+
111
+
112
+ ## Query the audit daemon status
113
+
114
+ describe auditd_rules.status('backlog') do
115
+ it { should cmp 0 }
116
+ end
117
+
118
+ ## Query properties of rules targeting specific syscalls or files
119
+
120
+ describe auditd_rules.syscall('open').action do
121
+ it { should eq(['always']) }
122
+ end
123
+
124
+ describe auditd_rules.key('sshd_config') do
125
+ its('permissions') { should contain_match(/x/) }
126
+ end
127
+
128
+ Filters may be chained. For example:
129
+
130
+ describe auditd_rules.syscall('open').action('always').list do
131
+ it { should eq(['exit']) }
132
+ end